After some extensive SSL testing I got my domain (vps01.jvijsma.nl) to a score of 100/100/90/100. The 90 points for Key exchange bothered me, so after getting a new domain (jvijsmavps.nl) for HSTS preloading (cannot use subdomains for that) with the same server config setup, I was surprised to see that the score was 100/100/100/100.
I'm trying to figure out why vps01.jvijsma.nl is not getting the full 100 for key exchange. Does anybody here have a clue? Below is some server info; thanks for any input in advance.
Apache 2.4.18 config:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLOpenSSLConfCmd ECDHParameters secp521r1
SSLOpenSSLConfCmd Curves secp521r1:secp384r1
# 4096-bit DH parameters (Apache does not allow a comment on the same line as a directive)
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"